77,000 Steam accounts are hacked and raided every month

Valve, the developers of the Steam online gaming platform, says that its members are facing a serious problem.

Accounts have always been hijacked on the gaming site, by hackers who have stolen passwords, but now the problem is said to have risen twenty-fold, with some 77,000 Steam accounts hacked every month.

Steam accounts are hijacked when a hacker manages to break into an account without the owner’s permission. Often this is done by stealing passwords with keylogging malware, or through phishing for login credentials on fake sites.

And once a Steam account has been hijacked, it is typically raided for items and games, as well as potentially used to compromise and raid yet more Steam accounts.

According to a statement issued by Valve, stolen virtual goods are often sold through a series of compromised accounts before ultimately being sold on to an innocent user.

Valve says that “enough money now moves around the system that stealing virtual Steam goods has become a real business for skilled hackers”. Indeed, according to the firm, practically every active Steam account has “enough value to be worth a hacker’s time. Essentially all Steam accounts are now targets.”

Clearly, steps need to be taken to reduce the fraud occurring on Steam.

Steam Guard Mobile Authenticator is a feature of the Steam mobile app that generates a new random code every 30 seconds. At login you have to enter the code alongside your password. The idea is that even if a hacker knows your password, they won’t know the random regularly-changing code.
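The mechanism described above is a time-based one-time password: the phone and the server share a secret, and both derive the same short code from that secret and the current 30-second time slot, so a password alone is not enough to log in. The following is an added example written for this article, not Steam's or Valve's code, and it implements the standard RFC 4226/6238 HOTP/TOTP construction; the article does not describe Steam Guard's exact code format, so treat any difference from Steam's own scheme as an assumption of this example. It shows the code generation, a server-side check that tolerates a little clock drift, and the one-time property that stops a code captured by a keylogger or phishing page from being accepted a second time.

```python
# Added example for this article (not Steam's or Valve's implementation):
# a standard RFC 4226 HOTP / RFC 6238 TOTP generator and verifier.
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: Optional[float] = None,
         step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP whose counter is the Unix time divided into 30-second steps."""
    now = time.time() if at_time is None else at_time
    return hotp(secret, int(now) // step, digits)


def verify_totp(secret: bytes, submitted: str, at_time: float,
                last_used_counter: Optional[int] = None,
                window: int = 1, step: int = 30, digits: int = 6) -> Optional[int]:
    """Server-side check. Returns the accepted time-step counter, or None if rejected.

    - hmac.compare_digest keeps the comparison constant-time.
    - Steps within +/- `window` of "now" are accepted to absorb phone clock drift.
    - Any step at or below `last_used_counter` is refused, so each code works once;
      a code captured by malware or a fake login page cannot be replayed afterwards.
    """
    current = int(at_time) // step
    for delta in range(-window, window + 1):
        candidate = current + delta
        if last_used_counter is not None and candidate <= last_used_counter:
            continue
        if hmac.compare_digest(hotp(secret, candidate, digits), submitted):
            return candidate
    return None


def secret_from_base32(encoded: str) -> bytes:
    """Enrolment QR codes usually carry the shared secret as base32, often unpadded."""
    cleaned = encoded.strip().upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


# Reference secret from RFC 6238 Appendix B (ASCII "12345678901234567890"),
# used here so the output can be compared with the published test vectors.
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print("code at t=59:", totp(RFC_SECRET, 59))
    accepted = verify_totp(RFC_SECRET, "287082", at_time=70)
    print("accepted step:", accepted)
    replay = verify_totp(RFC_SECRET, "287082", at_time=75, last_used_counter=accepted)
    print("replay accepted:", replay is not None)
```

The server stores the highest step it has accepted per account and refuses anything at or below it; that single integer is what turns "a code that changes every 30 seconds" into a code that also cannot be reused within those 30 seconds.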

Unfortunately, most Steam users have apparently not taken advantage of this increased level of security. I’m sure they all had good excuses (they didn’t think they were targets, they felt they were too smart to have their computers compromised, they didn’t have access to a mobile device), but the truth was that they were putting their account at greater risk by not using it.

For this reason, Valve has announced that it is making some changes in an attempt to make it less attractive for hackers to break into Steam accounts:

Steam accounts which don’t have two-factor authentication enabled will have their traded items “held by Steam for up to 3 days before delivery” – hopefully giving enough time for account owners to spot the suspicious activity, and significantly slowing down hackers who are attempting to rapidly turn stolen virtual goods into money.

Users who have been friends for at least one year will find items they attempt to trade are held for “up to 1 day before delivery” – recognizing that the trade is more likely to be legitimate because of an existing relationship.

If you are already using two-factor authentication, however, then you will be able to continue trading without restrictions. Hopefully this is a good incentive for others to embrace the additional security that it offers.

Valve says it recognizes that not everyone will be happy with the changes, but with some 77,000 accounts hijacked every month it’s clear that the service has a major problem and something serious had to be done to cut down on the fraud.

The company says, “We’ve done our best to make the cost as small as possible, for as few people as possible, while still retaining its effectiveness.”

It will be interesting to see what impact the change has, and how the hackers themselves will respond to what appears to be a significant obstacle in their attempts to monetise hacked accounts.

Valve’s announcement spells out the rules:

“If you’ve been friends for at least 1 year, items will be held by Steam for up to 1 day before delivery.”

“Accounts with a Mobile Authenticator enabled for at least 7 days are no longer restricted from trading or using the Market when using a new device, since trades on the new device will be protected by the Mobile Authenticator.”

And don’t forget: each computer infected by malware in an attempt to break into a Steam account could also be abused to compromise email accounts and bank accounts, and to steal a myriad of other personal information.

Yes, protect your Steam account with two-factor authentication – but harden your computer defenses generally, by ensuring you are not reusing passwords, have a decent anti-virus product in place, and are following best practices such as keeping on top of security patches and being wary of unsolicited emails.

Steam has introduced a couple of new security measures on trading. Unless you have the two-factor authentication app activated on a second device, and have had it for seven days, you’ll have to wait three days for any goods you’ve traded away to be delivered. If you’re trading with a friend of one year or more, you’ll only have to wait one day.

Why? Well, Valve’s theory is that this measure will slow down hackers trading away items from compromised accounts. In order to make money from illicitly obtained accounts, hackers need to get the goods out before the legitimate owner can report the hack and have the account frozen, you see.

Valve could just insist on two-factor authentication, but there are plenty of users who just can’t use the app for whatever reason. These users will have to swallow some inconvenience, but with any luck, the value proposition of hacking an individual Steam account will go way, way down as a result of these holds.

In a fascinating news post on Steam, Valve dives deep into its thinking. It touches on how simply replacing lost goods can affect the economy and fails to deter hackers, why it can’t use a generic authentication app, and most frighteningly, discusses the scope of the Steam hacking scene.

“Enough money now moves around the system that stealing virtual Steam goods has become a real business for skilled hackers,” Valve wrote.

“Practically every active Steam account is now involved in the economy, via items or trading cards, with enough value to be worth a hacker’s time. Essentially all Steam accounts are now targets.”

Steam hacking has become “commonplace”, Valve said, and even smart users with good security are being caught.

“What used to be a handful of hackers is now a highly effective, organized network, in the business of stealing and selling items. It would be easier for them to go after the users who don’t understand how to stay secure online, but the prevalence of items makes it worthwhile to target everyone,” Valve said.

“We see around 77,000 accounts hijacked and pillaged each month. Hackers can wait months for a payoff, all the while relentlessly attempting to gain access. It’s a losing battle to protect your items against someone who steals them for a living.

“We can help users who’ve been hacked by restoring their accounts and items, but that doesn’t deter the business of hacking accounts. It’s only getting worse.”

About the author

Graham Cluley

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.

1 Comment

I’m with Steam and have seen the message about two-factor authentication, and decided I wouldn’t trust Steam with my mobile number, so I’m willing to put up with some inconvenience when I do buy anything. I also un-tick the option box about keeping the credit card details saved on Steam; again, I don’t trust them to keep those details safe, so I’m quite willing to put up with the hassle. I wish I didn’t have to, but it seems that in today’s world this is what we have to live with.